Fix SSL sec_error_unknown_issuer with Comodo PositiveSSL in Firefox (Apache2)

Installing Comodo PositiveSSL certificate on Apache server for a client, everything worked fine in Chrome, Firefox on OS X and (surprisingly) even in IE, but Firefox on Windows was complaining with the following error (might be something to do with older version or some other settings, but didn’t really test it that extensively):

Invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)

After a bit of googling I came across a blog post by John Bakker, where he describes a quick and easy fix, merging all .crt files you receive from Comodo into one .ca_bundle.

To do this, the easiest way is to combine (concatenate) multiple certificates into one file, named www_yourdomain_com.ca_bundle (of course replace www_yourdomain_com with your actual domain with underscores):

  1. AddTrustExternalCARoot.crt
  2. COMODORSAAddTrustCA.crt
  3. COMODORSADomainValidationSecureServerCA.crt
  4. www_yourdomain_com.crt
cat www_yourdomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > www_yourdomain_com.ca_bundle

Note: Device/Entity Cert Intermediates need to be in reversed order.

Place it in the same place you put your .key and .crt and .csr files for your certificate.
Now instead of pointing it to the individual files you point to just the bundle from your vhost.

SSLEngine on
SSLCertificateFile /etc/ssl/certs/www_yourdomain_com.crt
SSLCertificateKeyFile /etc/ssl/certs/www_yourdomain_com.key
SSLCertificateChainFile /etc/ssl/certs/www_yourdomain_com.ca-bundle

Restart apache and enjoy secure connection to your site without SSL errors in all browsers.